I am attempting to write some scripts to match a partial AD user account name into a get-aduser script to return the objects for another routine.
However, the command, when executed, is returning a parse error.
The strange thing is that when checking the syntax of the output, it looks AOK:
PS C:\Users> $ADUserString = "dcro"
PS C:\Users> write-host get-aduser -filter "{SAMAccountName -like `"$ADUserString*`"}"
get-aduser -filter {SAMAccountName -like "dcro*"}
Note: I have used the right-tick character ` prepending the quotes on the variable to keep them as a string value
So when executing the command:
PS C:\Users> get-aduser -filter "{SAMAccountName -like `"$ADUserString*`"}"
get-aduser : Error parsing query: '{SAMAccountName -like "dcro"}' Error Message: 'syntax error' at position: '1'.
At line:1 char:1
+ get-aduser -filter "{SAMAccountName -like `"$ADUserString*`"}"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Get-ADUser], ADFilterParsingException
+ FullyQualifiedErrorId : Error parsing query: '{SAMAccountName -like "dcro*"}' Error Message: 'syntax error' at position: '1'.,Microsoft.ActiveDirectory.Management.Commands.GetADUser*
However, if I manually type the output from my 'write-host' above, it executes perfectly fine and returns the results I am after:
PS C:\Users> get-aduser -filter {samaccountname -like "dcro*"}
DistinguishedName : CN=Dan*****,OU=A*****port,OU=Development*****************
Enabled : True
GivenName : D****
Name : D*****Cro****
ObjectClass : user
ObjectGUID : 796b**********413-558d*****d73
SamAccountName : dcro*****
SID : S-1******************67
Surname : Cro******
UserPrincipalName : dcro***********
It's pretty odd, and my feeling is that there are some weird special characters at play here.....
Try this:
$ADUserString = "dcro*"
write-host (Get-ADUser -Filter {SamAccountName -like $ADUserString} | Out-String)
Workaround I found was this (not so pretty).
$ADUserString = "dcro"
$AdUserStringWildCard = "$AdUserString*"
Get-ADUser -Filter {SamAccountName -like $AdUserStringWildCard}
Have you tried LDAPFilter anr instead? I know it tends to be iffy but might work in your scenario. It seems good at completing usernames.
Get-ADUser -LDAPFilter "(anr=$ADUserString)"
Related
Set-ADGroup -Identity "St.Department.146" -Replace @{"msExchRequireAuthToSendTo"=$true} -verbose
An error occurs when entering a command. :(
Set-ADGroup : An invalid dn syntax has been specified At line:1 char:1
Set-ADGroup $InternalDistro -Replace #{msExchRequireAuthToSendTo = $T ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : InvalidArgument: (CN=St.Departmen...ublethink,DC=me:ADGroup) [Set-ADGroup], ArgumentExce
ption
FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
ands.SetADGroup
From the error
An invalid dn syntax has been specified
It is clear that the error is occurring due to the Identity Parameter.
You could try the below :
Set-ADGroup -Identity "CN=St.Department.146,OU=Mail Group,OU=STKGroup,DC=doublethink,DC=me" -Replace @{"msExchRequireAuthToSendTo"=$true} -verbose
If you want to avoid any typo, you can do a get group and subsequently pass it to the next step :
$InternalDistro = (Get-ADGroup -filter 'name -eq "St.Department.146"')
Write-Host $InternalDistro[0].DistinguishedName
Set-ADGroup -Identity $InternalDistro[0].DistinguishedName -Replace @{"msExchRequireAuthToSendTo"=$true} -verbose
Ensure there is an output coming on the screen with the required DN.
To avoid errors in the Identity parameter, try and use Get-ADGroup to find the group as an object. If that succeeds, pipe the group object through to Set-ADGroup.
Get-ADGroup returns an object with default properties DistinguishedName, GroupCategory, GroupScope, Name, ObjectClass, ObjectGUID, SamAccountName, SID
# try and find the group with that name.
# Use double-quotes around the filter and single-quotes around the name itself.
$groupName = 'St.Department.146'
# instead of property Name, you can also try property DisplayName here
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if ($group) {
$group | Set-ADGroup -Replace @{msExchRequireAuthToSendTo = $true} -Verbose
}
else {
Write-Warning "A group with name '$groupName' does not exist"
}
In this case, it could very well be the group has a different Name than its DisplayName. In the above code, if you see the warning message that the group does not exist, change
-Filter "Name -eq '$groupName'" into -Filter "DisplayName -eq '$groupName'" and try that.
I am looking for all accounts that have “(FUR)” in the beginning of their AD account description. I need these for any and all OUs under Office/Users. For all of these accounts that have “(FUR)” in the description, I need the following exported:
User Logon Name
Description
extensionattribute11
This is what I have come up with so far:
Import-Module ActiveDirectory;
$creds = Get-Credential
$OUPath = 'OU=Standard Users,OU=NY,OU=users,OU=Offices,DC=US,DC=FLN,DC=NET'
Get-ADUser -Properties Description -Filter "(FUR)" -SearchBase $OUPath
This is the error I get:
Get-ADUser : Error parsing query: '(FUR)' Error Message: 'syntax
error' at position: '5'. At line:2 char:1
+ Get-ADUser -Properties Description -Filter "(FUR)" -SearchBase $OUPat ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Get-ADUser], ADFilterParsingException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
When using the -Filter parameter, you must pass a string that contains the syntax propertyName -operator value.
Get-ADUser -Properties Description -Filter "Description -like '(FUR)*'" -SearchBase $OUPath
(FUR)* would match a value that begins with (FUR). You would need to use *(FUR)* if you do not know where (FUR) exists within the value.
See Get-ADUser for a more in-depth description.
I am trying to set up a method in which a user can tell me their username, I plug it in and it will return me their computerName.
//Get the Username
$username = Read-Host -prompt 'Username'
//Get the DistinguishedName and store it
$usernameDN = Get-ADUser $username -properties * | SELECT DistinguishedName
//Get the ComputerName
//This one fails everytime
Get-ADComputer -Filter {ManagedBy -eq $usernameDN} -properties * | SELECT CN,ManagedBy
//Error I receive...almost as if it has to be a string
Get-ADComputer : Invalid value: '' specified for extended attribute:
'ManagedBy'. At line:1 char:1
+ Get-ADComputer -Filter {ManagedBy -eq $usernamedn} -properties * | SE ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADComputer], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
ands.GetADComputer
//So you put it as a string
PS C:\WINDOWS\system32> Get-ADComputer -Filter {ManagedBy -eq '$usernamedn'} -properties * | SELECT CN,ManagedBy
//Error
Get-ADComputer : Identity info provided in the extended attribute:
'ManagedBy' could not be resolved. Reason: 'Cannot find an object with
identity: '$usernamedn' under: 'DC=****,DC=*****'.'. At line:1 char:1
+ Get-ADComputer -Filter {ManagedBy -eq '$usernamedn'} -properties * | ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-ADComputer], ADIdentityResolutionException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityResolutionException
,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
//However if you replace the variable with the literal DistinguishedName...it will work
PS C:\WINDOWS\system32> Get-ADComputer -Filter {ManagedBy -eq 'CN=*******\, ***** *.,OU=********,OU=*****,OU=******,DC=*****,DC=******'} -properties * | SELECT CN,ManagedBy
//Result
CN ManagedBy
-- ---------
********* CN=**\, ** *.,OU=***,OU=***,OU=***,DC=***,DC=**
********* CN=**\, ** *.,OU=***,OU=***,OU=***,DC=***,DC=**
So I'm thinking my issue is that the Filter requires it to be string, but I can't figure out the right escape to make the variable read that way.
I tried to do the string formatting as well, but I don't completely understand that yet
Thanks,
I recommend using -LDAPFilter instead of -Filter and using an LDAP filter string:
Get-ADUser -LDAPFilter "(managedBy=$usernameDN)"
It is worth your while to learn the LDAP search filter syntax, since that's what PowerShell has to "translate" the -Filter into anyway.
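The managedBy value in the question contains an escaped comma (\,), and a backslash, parenthesis or asterisk placed unescaped into an -LDAPFilter string changes how the filter is parsed. The following is an added example, not part of the original answers: a hypothetical helper, ConvertTo-LdapFilterValue, applies the RFC 4515 escapes so that a DN or typed input (such as the Read-Host username) is matched as a literal value. The sample DN and values are constructed.

```powershell
# Added example: escape a value before embedding it in an -LDAPFilter string.
# RFC 4515 reserves \ ( ) * and NUL inside a filter value.
function ConvertTo-LdapFilterValue {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [switch]$AllowWildcard   # keep '*' when a wildcard match is intended
    )
    # Backslash must be replaced first, or the escapes added below get re-escaped.
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('(', '\28').Replace(')', '\29')
    $escaped = $escaped.Replace([string][char]0, '\00')
    if (-not $AllowWildcard) { $escaped = $escaped.Replace('*', '\2a') }
    $escaped
}

# Constructed sample values (hypothetical, not from any real directory).
$userDN = 'CN=Doe\, Jane (Contractor),OU=Staff,DC=example,DC=com'
$typed  = 'dcro*'    # what a user typed at Read-Host
$prefix = '(FUR)'    # literal text to match at the start of Description

$filters = [ordered]@{
    ManagedBy   = '(managedBy={0})'    -f (ConvertTo-LdapFilterValue $userDN)
    Anr         = '(anr={0})'          -f (ConvertTo-LdapFilterValue $typed)
    Description = '(description={0}*)' -f (ConvertTo-LdapFilterValue $prefix)
}
$filters.GetEnumerator() | ForEach-Object { '{0,-12} {1}' -f $_.Key, $_.Value }

# Against a domain (requires the ActiveDirectory module), pass the DN string,
# not the object that Select-Object returns:
#   $dn = (Get-ADUser $username).DistinguishedName
#   $f  = '(managedBy={0})' -f (ConvertTo-LdapFilterValue $dn)
#   Get-ADComputer -LDAPFilter $f -Properties ManagedBy
```

The wildcard in the Description filter is appended after escaping, so only the trailing * acts as a wildcard and the parentheses in (FUR) are matched literally.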
This was simply an expression problem, your example works fine for me. You are just missing the () inside the {}.
Get-ADComputer -Filter {(ManagedBy -eq $usernameDN)} -properties * | SELECT CN,ManagedBy
I am trying to get the AD user account via Powershell, I need to import the name from csv and retrieve their AD results.
The list is only stored with "Display Name"
test.csv
name
Peter Chan
John Wu
Tom Wong
PS script
$list = Import-Csv '.\test.csv'
foreach ($i in $list) {
Get-ADUser -Filter "Name -eq '$i.name'"
}
Error
Get-ADUser : Error parsing query: 'Name -eq @{name=Peter Chan}.name' Error Message: 'syntax error' at position: '10'.
At line:2 char:1
+ Get-ADUser -Filter "Name -eq $i.name"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Get-ADUser], ADFilterParsingException
+ FullyQualifiedErrorId : Error parsing query: 'Name -eq @{name=Peter Chan}.name' Error Message: 'syntax error' at
position: '10'.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
When I run Get-ADUser -Filter "Name -like 'Peter Chan'", I can get the result I want. It shows that it is an array type @{name=Peter Chan}.name, what should I need to change on the code?
Variables get expanded in strings not property expressions.
Change this:
Get-ADUser -Filter "Name -eq '$i.Name'"
TO
Get-ADUser -Filter "Name -eq '$($i.Name)'"
I'm trying to generate a list of computers owned by a particular PDL and I'm encountering some syntax issues:
$group = Get-ADGroupMember -Identity "pdl" | Select-Object -ExpandProperty DistinguishedName
Foreach($item in $group) { Get-ADComputer -Filter "ManagedBy -eq "$item"" -Property managedby | Select Name }
The second part is based on another code snippet that I found elsewhere (I think on StackOverflow as well) which worked just fine:
Get-ADComputer -Filter "ManagedBy -eq 'CN=user#company.com,OU=US,OU=Users,OU=Accounts,DC=americas,DC=company,DC=com'" -Property ManagedBy
But the difference is I could use '' in this one, but adding in $item prevents me from using that.
The syntax error I get back with the first snippet:
Get-ADComputer : A positional parameter cannot be found that accepts argument 'CN=user#company.com,OU=US,OU=Users,OU=Accounts,DC=americas,DC=company,DC=com'.
At D:\Documents\Scripts\uatgroup.ps1:2 char:31
+ Foreach($item in $UATgroup) { Get-ADComputer -Filter "ManagedBy -eq "$item"" -Pr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADComputer], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
Anyone know a way to fix the syntax here? Or an alternate method of running this?
This:
"ManagedBy -eq "$item""
Is parsed as three separate strings. Only the first one (ManagedBy -eq) will be bound to the -Filter parameter, the rest will be treated as separate tokens, causing PowerShell to complain that you can't just leave the string CN=... there in the middle of everything.
You can either use single-quotes inside the double-quoted string, to avoid terminating the string early:
Get-ADComputer -Filter "ManagedBy -eq '$item'"
Escape the inline double-quotes with a backtick ( ` ):
Get-ADComputer -Filter "ManagedBy -eq `"$item`""
Or escape them by doubling them:
Get-ADComputer -Filter "ManagedBy -eq ""$item"""